Spring oauth2 指定受保护和不受保护的资源

Posted

技术标签:

【中文标题】Spring oauth2 指定受保护和不受保护的资源【英文标题】:Spring oauth2 specify protected and unprotected resources 【发布时间】:2015-03-19 09:14:04 【问题描述】:

我已经在我的 Spring MVC Web 应用程序中实现了 oauth2。现在我已经保护和未受保护的资源,例如我所有的网络服务和帐户(用于密码重置、电子邮件验证等)。我当前的 spring 安全性正在阻止所有使用访问令牌的请求,即使我指定 Accounts 可以完全访问。有人可以纠正如何定义受保护和不受保护的资源。

网页配置

<!-- Spring Root -->
<context-param>
    <param-name>contextClass</param-name>
    <param-value>
        org.springframework.web.context.support.AnnotationConfigWebApplicationContext
    </param-value>
</context-param>
<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>portal</param-value>
</context-param>
<listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>

<servlet>
    <servlet-name>SpringDispatcher</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <init-param>
        <param-name>contextClass</param-name>
        <param-value>
            org.springframework.web.context.support.AnnotationConfigWebApplicationContext
        </param-value>
    </init-param>
    <!-- <init-param> <param-name>contextConfigLocation</param-name> <param-value>portal</param-value> 
        Modify this one to get clean URL without portal by plain "/" </init-param> -->
    <load-on-startup>1</load-on-startup>
</servlet>

<servlet-mapping>
    <servlet-name>SpringDispatcher</servlet-name>
    <url-pattern>/</url-pattern>
</servlet-mapping>

<!-- Spring Security -->
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

oAuth2 网络安全

  <!-- Definition of the Authentication Service -->
  <http pattern="/oauth/token" create-session="stateless" authentication-manager-ref="clientAuthenticationManager"
  xmlns="http://www.springframework.org/schema/security">
        <intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_FULLY"/>
        <anonymous enabled="false"/>
         <http-basic entry-point-ref="clientAuthenticationEntryPoint"/>
         <!-- include this only if you need to authenticate clients via request parameters -->
         <custom-filter ref="clientCredentialsTokenEndpointFilter" after="BASIC_AUTH_FILTER"/>
          <access-denied-handler ref="oauthAccessDeniedHandler"/>
   </http>

   <http pattern="/Accounts" create-session="stateless" authentication-manager-ref="clientAuthenticationManager"
  xmlns="http://www.springframework.org/schema/security">
          <intercept-url pattern="/Accounts" access="IS_AUTHENTICATED_FULLY"/>
          <anonymous enabled="true"/>
          <http-basic entry-point-ref="clientAuthenticationEntryPoint"/>
          <!-- include this only if you need to authenticate clients via request parameters -->
          <!-- <custom-filter ref="clientCredentialsTokenEndpointFilter" after="BASIC_AUTH_FILTER"/>
          <access-denied-handler ref="oauthAccessDeniedHandler"/> -->
  </http>

   <!-- Protected resources -->
   <http pattern="/**"
  create-session="never"
  entry-point-ref="oauthAuthenticationEntryPoint"
  access-decision-manager-ref="accessDecisionManager"
  xmlns="http://www.springframework.org/schema/security">
          <anonymous enabled="false"/>
          <intercept-url pattern="/**"
               access="ROLE_USER"/>
          <custom-filter ref="resourceServerFilter"
               before="PRE_AUTH_FILTER"/>
          <access-denied-handler
        ref="oauthAccessDeniedHandler"/>
 </http>

【问题讨论】:

【参考方案1】:

我通过将 /API/ControllerName 添加到我的所有请求映射并将受保护的资源更改为 /API/** 来修复它

 @Controller
 @RequestMapping(value = "/API/ProductManagement")
 public class ProductManagementController extends BaseController 
    //Implementation
 

oAuth2 网络安全

<http pattern="/Accounts" create-session="stateless" authentication-manager-ref="clientAuthenticationManager"
  xmlns="http://www.springframework.org/schema/security">
      <intercept-url pattern="/Accounts" access="IS_AUTHENTICATED_FULLY"/>
      <anonymous enabled="false"/>
      <http-basic entry-point-ref="clientAuthenticationEntryPoint"/>
      <!-- include this only if you need to authenticate clients via request parameters -->
      <!-- <custom-filter ref="clientCredentialsTokenEndpointFilter" after="BASIC_AUTH_FILTER"/>
      <access-denied-handler ref="oauthAccessDeniedHandler"/> -->
</http>

<!-- Protected resources -->
<http pattern="/API/**"
  create-session="never"
  entry-point-ref="oauthAuthenticationEntryPoint"
  access-decision-manager-ref="accessDecisionManager"
  xmlns="http://www.springframework.org/schema/security">
       <anonymous enabled="false"/>
       <intercept-url pattern="/**"
               access="ROLE_USER"/>
       <custom-filter ref="resourceServerFilter"
               before="PRE_AUTH_FILTER"/>
       <access-denied-handler
        ref="oauthAccessDeniedHandler"/>
</http>

【讨论】:

以上是关于Spring oauth2 指定受保护和不受保护的资源的主要内容,如果未能解决你的问题,请参考以下文章

Spring Security SAML 可信证书条目不受密码保护

okta oauth2 Spring security 所有受保护的页面重定向到登录

Spring OAuth2 多服务器注解配置(资源&授权)

如何在 Spring 中使用 OAuth2 和 JWT 令牌代表特定用户调用受保护的资源?

Spring Security:OAuth 在获取访问令牌之前陷入重定向循环,但初始页面旁边的任何页面都不受保护

使用Spring Security登录认证,通过Oauth2.0开发第三方授授权访问资源项目详解